Site comes down after two ZPanel official forum accounts are compromised.

Hackers compromised accounts belonging to maintainers of the open-source ZPanel after a team member supporting the Web hosting control panel called a critic a "fucken little know it all." The ZPanel site went completely down after the incident and remained down at the time of writing.

ZPanel support member Nigel Caldwell made the comment in the site's official forums and it was directed at a user named joepie91. Shortly beforehand, the Netherlands-based software developer—whose real name is Sven Slootweg—claimed that websites using ZPanel in combination with certain modules were vulnerable to exploits that allowed attackers to remotely execute malicious code. Slootweg directed his statement at Caldwell, aka PS2Guy, after the support member left a comment saying ZPanel "is more secure than panels that you pay good money for." Caldwell also said users have "got more chance of someone hacking your Operating System than the control panel that sits on it."

In his response, Slootweg claimed there was an "arbitrary code execution and root escalation vulnerability in the current version of ZPanel." To support this, Slootweg provided an example line of code he said could be inserted into a main ZPanel template to trigger the vulnerability. Last month, Slootweg publicly disclosed a ZPanel vulnerability. Two weeks ago, he stepped up his criticism after claiming the vulnerability had gone unfixed. "I find it shameful that I even have to post here to point this out, to prevent someone from putting themselves at risk," Slootweg wrote in Wednesday's post on the ZPanel forum. "This should be the responsibility of the ZPanel team."

Caldwell then replied: "I'll let the Developers reply to you, because I can't really be fucked answering a fucken little know it all like you. Instead of saying this doesn't work and this is vulnerable, how about telling the boss (Ballen who [owns] a coding company and has worked with code for countless years and while I'm at it, wrote ZPanel 10 from scratch, how to fix it???????????????????????)"

In the hours that followed, forum accounts belonging to both Caldwell and Tom Gates, who is listed as head of ZPanel support, were found to be posting spoofed messages. "Hello," one fraudulent message posted from Caldwell's account read. "Recently we've realized that we cannot produce any secure code and have decided to shut down the project. Goodbye."

Bobby Allen, ZPanel's lead developer and the "Ballen" Caldwell had referred to earlier, confirmed to Ars that the forum accounts for two of the project's staff members were compromised. He said he took down the website shortly afterward. In an e-mail Allen wrote:

"It would appear that the attacker(s) have managed to get access through a member of our team's account (likely they found a password by hacking into their personal e-mail account or something along those lines which gave them access to our forums but NOT our servers... the servers have been shut down as a precaution)."

The forum account compromises came around the same time someone posted a screenshot that suggested a server had been hacked. It appeared to show a user logged in as root on a machine called "dexter," copying an archive of ZPanel files. There's also a list of passwords that purportedly belong to Allen, Gates, and other ZPanel staff members. When asked if the list contained real credentials, Allen said: "I do not know any of those passwords and my personal password (although my e-mail address is on the list) is not there! I would assume this is a fake!"

Allen went on to claim that the latest "stock" version of ZPanel is immune to the attacks Slootweg disclosed. "Only older versions of the control panel application are vulnerable to these attacks WHERE the user has installed a third-party module of which then enables uploads of custom themes of which can then lead to exploits," he wrote. "By default ZPanel does not allow the uploading of custom 'reseller' themes."

Without independent testing, there's no way to confirm if ZPanel is vulnerable to the alleged exploits Slootweg identified. What is clear, however, is the ZPanel maintainers have a lot to learn about security, not to mention better communication practices with users and critics.

Update:

After this article was published, ZPanel developer Kevin Andrews e-mailed Ars to say the server named dexter didn't belong to the open-source project and wasn't used to host its website or forums.

"I think this server belongs to tgates who is a staff member," Andrews wrote, referring to Tom Gates. "On the server he hosted a ZPanelCP Module Directory Application for users of ZPanel to search modules and download them. His application had a SQL Injection vulnerability which [the hackers] exploited."
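Andrews names the bug class but not the query, so the following is an added example of that class, not the module directory application's code. It assumes PHP 7.4 or later with the pdo_sqlite extension; the schema, the sample rows, the payload and the function names are constructed for the illustration. It shows a module-search query with the search term spliced into the SQL text beside the same query with the term bound as a parameter.

```php
<?php
// Added example of the bug class Andrews names; this is NOT the module
// directory application's code. Schema, rows and function names are constructed.
// Assumes PHP 7.4+ with the pdo_sqlite extension (in-memory database, runs offline).
declare(strict_types=1);

function buildDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE modules (id INTEGER PRIMARY KEY, name TEXT NOT NULL, url TEXT NOT NULL)');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT NOT NULL)');
    $db->exec("INSERT INTO modules (name, url) VALUES
        ('Backup Manager', 'http://example.invalid/backup.zip'),
        ('Theme Uploader',  'http://example.invalid/themes.zip')");
    // Constructed row standing in for the staff credentials an attacker would go after.
    $db->exec("INSERT INTO users (email, password_hash) VALUES
        ('staff@example.invalid', 'not-a-real-hash')");
    return $db;
}

// VULNERABLE: the search term is spliced into the SQL text, so a quote in the
// input ends the string literal and the rest of the input becomes SQL.
function searchModulesUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT name, url FROM modules WHERE name LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the term travels as a bound parameter. It can only ever be compared
// against name; it cannot add a UNION, a comment or a second statement.
// LIKE wildcards in the input are escaped as well, so a bare '%' cannot list everything.
function searchModulesSafe(PDO $db, string $term): array
{
    $escaped = addcslashes($term, '%_\\');
    $stmt = $db->prepare("SELECT name, url FROM modules WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDatabase();

// Constructed payload: closes the string literal, UNIONs the users table into the
// result set (both selects have two columns), and comments out the trailing "%'".
$payload = "x' UNION SELECT email, password_hash FROM users -- ";

print_r(searchModulesUnsafe($db, $payload));   // the users row comes back as if it were a module
print_r(searchModulesSafe($db, $payload));     // empty: no module name contains the payload text
print_r(searchModulesSafe($db, 'theme'));      // the Theme Uploader row, matched case-insensitively
```

Run it with `php search.php`. The first call returns the constructed staff e-mail and hash under the `name` and `url` column headings, which is exactly the shape of leak a "download staff passwords" screenshot implies; the second returns an empty array because the bound value is compared as a string and never parsed as SQL. The `ESCAPE` clause and `addcslashes` are there because binding alone does not stop a user from supplying `%` or `_` to widen the match; that is a separate, lesser problem, but it is cheap to close at the same time.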

He said ZPanel developers are aware of the vulnerability Slootweg disclosed.

"Basically if you as the ZPanel Administrator install a template which has malicious [code] contained it could do some very nasty stuff to your server," he explained. "By default resellers and normal users of a ZPanel CAN'T install templates. So the only way your server could be compromised using this vulnerability is by installing a template which has nasty code added by the maker."

A web developer must be reasonably aware of security issues and best practices and must know what they need to entrust to more knowledgeable developers to do the job properly. "Security expert" is a bit much to expect.

Read the announcement, it is core functionality implemented very poorly that allows the exploit. If someone reskins, using the built in functionality, the server is vulnerable. You have to supply third party code, but it's going through the main app's parser that should sanitize it.

Rule #1 about owning and operating a company is: never insult your customers, especially when they are coming to you with helpful advice.

and....

NEVER NEVER NEVER insult someone as an owner or as a representative of a company on the internet.

The internet is smarter, meaner, and much more ill tempered than you are. Never insult the internet.

I could be wrong but it seems to me that PS2GUY does not represent Bobby Allen's company, and that his company is not necessarily behind the development of ZPanel. It looks like ZPanel is free open source software and that all these guys are just involved in the project, without belonging to the same company. The way I read it is that B Allen also happens to own a coding company. But again maybe I misread it ...

I know it's neither here nor there, but I'm glad after my initial testing I decided to go with ISPConfig for my servers rather than ZPanel. I thought ZPanel had a better overall user interface, especially for "dumb" users, but I thought ISPConfig was more comprehensive.

What really swayed me, however, was the support community. ISPConfig's developers are actively answering questions in the community in as professional a manner as possible, and the community-at-large is rather helpful. When I took a look at ZPanel's community forums, it was one humongous clusterfuck where nothing could easily be found and there was no useful information easily presented anywhere. That right there told me to stay away (along with the long history of security issues ZPanel has had).

Long story short, this article comes as no surprise to me just based on first impressions from first-hand experience with the product.

Well, the guy did right first by notifying them. When the idiots refused to fix their sh|t, he gave the notice publicly.

Taking the site down however .. well, whoever did that, needs to be burned alive.

If an entity repeatedly, actively refuses to fix a major security issue, sometimes the only responsible action is to publicly shame them.

This situation reminds me of the Ruby on Rails Mass Assignment issue, where the RoR developers didn't want to do anything to address the situation, and denied it was a problem... so the reporter used that issue to hack GitHub in a way that would force the Rails developer's hands.

The hacker's actions in this case seem a bit more malicious (claiming the project is shutting down and revealing passwords), so it's not exactly the same (the RoR MA guy's actions were how it should have been done... just make the ZPanel developers unable to deny the issue, without doing any damage). This might all just be a coincidence as well, right now there doesn't seem to be much reliable info to go on.

Well if we need to be absolutely literal, it should be "Happy Fun Ball", but, like, I really got the reference. If you want to be That Guy that always has to dampen all the Happy Fun time stuff, you're just asking to be Slootweged.

As far as the story goes, I'm not sure I'm ready to condemn Caldwell for his outburst and certainly not for wanting to ignore Slootweg. While not professional on Caldwell's part, the lines he was getting from Slootweg lean on the know-it-all / immature side and people who can't communicate like adults shouldn't be taken seriously. This is one part of the hack ethos I disagree with strongly. There is some belief that whatever tone or poor communication skills one possesses are entirely acceptable if you are trying to do what you think is right. It's gotten common enough that even professional writing in journals, periodicals, books, and professional blogs has come to accept poor tone and writing styles.

That means you're a shitty web developer. A web developer must be a security expert to do his job correctly.

Never have found one unfortunately, that is a web developer who was a security expert. Conversely, I have found many security experts who dabbled with web developer contract jobs when they wanted easy money.

The reality is there is nice money to be made doing security work throughout IT, and most of it is in infrastructure and boutique app development and validation. The pay scale for full time web devs is too low for many of them to have strong security knowledge, much less a basic knowledge of programming which leads to input validation and sanitization.

Generally, the best approach is to have developers put something together and have the better paid and more knowledgeable security and infrastructure guys review it. Unfortunately, this is only done at higher levels of security need because the number of times the reviewers will send back code and honestly tell the boss that the hours the devs have put in on the work is less than a quarter of what was billed / contracted is astounding.

The number of "web developers" who spend 4-6 hours putting pretty custom graphics and forms into a WordPress template and charge the customer $6-10k would make you cry. Even better when you get handed something to troubleshoot or validate that is all stock WordPress PHP and the original customer was told it was written, "custom, from the ground up" and the WordPress copyright files are still in the directory structure and several wp- directories abound.

The stock WP installs are certainly a bit sad, but as one of those people who has forayed into the world of web development to help clean out a hacked server, securing WordPress is annoying but straightforward. The thing that made me want to cry was the site that did get the custom treatment -- by someone who was in way over their head. Outdated PHP? Check. No SQL validation? Check. Writing a silly web app to do what SFTP does only without the secure part? Check. Broken custom CMS which required the user deal directly with the database to post content? Check. And so on. The icing on the cake was that the server had never received a software update because the old web guy didn't give anyone the root password. After a few failed attempts, I tried the rack number for the server and got in just fine over SSH. I was obviously beat by the Tijuana pharmacy; apparently the ISP didn't need or want any email leads on cheap Viagra.

In other words: be thankful that some people have the sense to steal. At the top you've got great coders, at the bottom you've got people who just skate by with third-party solutions, and between them you've got a case study in the Dunning-Kruger effect.

I am actually a little surprised by this PS2Guy. Back when I was looking into ZPanel I noted many polite and exceptionally patient responses from the maintainers. It was one of the few things I really liked about ZPanel. But, similar to you, I noted that the documentation for the Linux version was abysmal, and the forum was full of dead links. They do not even have a working demo, and have not for many moons.

If I recall correctly PS2Guy is not a coder, he was just part of their volunteer support staff for answering noob questions. I would not be surprised if he loses that status.

That means you're a shitty web developer. A web developer must be a security expert to do his job correctly.

It's an amazing quote that he'll hopefully one day be able to live down if he has the sense to learn anything from this.

While WordPress is not the paragon of security, it's gotten better (can't say the same for the plugin development crowd), but I remember seeing very similar reactions from Mullenweg when people were pointing out the flaws. He had a series of truly delusional blog posts where everything was blamed on everyone but the people that created WP, and every issue was labelled as "theoretical". It was totally douchey, kind of a douchebag trifecta:

- insult actual developers who understand the flaws by denying the existence of the problem
- put your users in danger to save face
- make the internet a little shittier for everyone by providing fodder for more botfarms

Unfortunately a lot of the MBAs making the decisions about who to hire for which projects were apparently trained to "go for the expensive one" when dealing with topics of which they have no concept. I've seen websites "worth" 10K to 20K that my coders would've thrown together, more securely and functionally, in less than a week.

I don't care how many years you have under your belt or how good a programmer you think you are, nobody is above making mistakes and no software is completely secure. Hurling abuse at someone for pointing out a problem is profoundly unprofessional and shows an arrogant and blinkered attitude that just doesn't belong in the software development profession.

If you work in software development, professionally or as a hobby, you must always be prepared to accept that you'll make mistakes and be prepared to own them and fix them. You also have to be prepared to always be a student because there's always something new to learn. The day you think you know it all is the day you should quit.

Okay, hacking a site in revenge is going too far, but I still can't feel very sorry for these guys, by acting like a superior species they were more or less inviting an attack.

Unfortunately a lot of the MBAs making the decisions about who to hire for which projects were apparently trained to "go for the expensive one" when dealing with topics of which they have no concept. I've seen websites "worth" 10K to 20K that my coders would've thrown together, more securely and functionally, in less than a week.

This. My company recently brought on a sort-of replacement for the web-dev/designer who got frustrated and quit a few months ago.

He knows design. No backend, barely understands FTP, JS, PHP, etc, etc. That I had to give him unfettered access to the company's customer-facing sites makes me cringe hard. If I'm lucky, I can sell management on letting him design and send me the files and keep him the hell off my servers.

The bosses might know business, but they know dick about computers, networking, any of it. But they're the "smartest guys in the room" - god forbid they listen to lowly wage apes.

I think a two-person team is better.

One person to design, one person to code and admin. I can't speak to your situation, but good designers spend as much time studying design as we spend studying code. (I had the pleasure of working with a classically-trained designer.)

These are both specialized jobs, and we cannot expect one person to be great at both (unless they are a genius or something.)

As far as the story goes, I'm not sure I'm ready to condemn Caldwell for his outburst and certainly not for wanting to ignore Slootweg. While not professional on Caldwell's part, the lines he was getting from Slootweg lean on the know-it-all / immature side and people who can't communicate like adults shouldn't be taken seriously. This is one part of the hack ethos I disagree with strongly. There is some belief that whatever tone or poor communication skills one possesses are entirely acceptable if you are trying to do what you think is right. It's gotten common enough that even professional writing in journals, periodicals, books, and professional blogs has come to accept poor tone and writing styles.

Well, I work in client comms, and I am totally ready to condemn him.

It doesn't matter what the customer or user says to you; if you're representing your organisation, on a voluntary or paid basis, you should be courteous and professional at all times. If the red mist descends, you step away from the keyboard/phone and come back when you're a bit more sanguine about things.

Users and clients sometimes tell you important stuff in ways that you'd rather they didn't. This does not diminish the value of the information, and it does not give you a free pass to be an arsehole to them.

While not professional on Caldwell's part, the lines he was getting from Slootweg lean on the know-it-all / immature side and people who can't communicate like adults shouldn't be taken seriously.

Um... that's the dumbest thing said on this entire thread.

You're defending the guy who spewed this illiterate drivel:

"I'll let the Developers reply to you, because I can't really be fucked answering a fucken little know it all like you. Instead of saying this doesn't work and this is vulnerable, how about telling the boss (Ballen who [owns] a coding company and has worked with code for countless years and while I'm at it, wrote ZPanel 10 from scratch, how to fix it???????????????????????)"

And you're defending him by commenting on how the other guy can't communicate like an adult?

Someone in that conversation certainly sounds like an immature moron, but it sure isn't Slootweg.

The internet is smarter, meaner, and much more ill tempered than you are. Never insult the internet.

"One of the things you learn from years of dealing with Internet people, is that you can turn your back on a person, but never turn your back on the Internet. Especially when it's waving a razor-sharp exploit at your server."

As far as the story goes, I'm not sure I'm ready to condemn Caldwell for his outburst and certainly not for wanting to ignore Slootweg. While not professional on Caldwell's part, the lines he was getting from Slootweg lean on the know-it-all / immature side and people who can't communicate like adults shouldn't be taken seriously. This is one part of the hack ethos I disagree with strongly.

Slootweg first contacted the vendor, then after months he posted on Full Disclosure. When he (rather understandably) annoyed, tried to point out the problem again, he got a completely uncalled-for flame attack from a representative.